On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote:

>> From: Chris Buxton <cli...@buxtonfamily.us>
>
>> If a name exists in the response policy, and also exists in the real
>> Internet namespace, the value from the policy is returned. But if it
>> doesn't exist out on the Internet, then the value is not returned --
>> an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
>>
>> I've known this for a while but haven't understood why it is thus.
>> Today, it has become a problem for me. If I set a policy of "this
>> name gets response X", I expect that policy to be used rather than
>> "this name gets response X unless it doesn't exist out on the
>> Internet or can't be resolved due to an error."
>
> RPZ stands for "response policy zone" and concerns rewriting responses
> instead of queries. The answer section of an NXDOMAIN or SERVFAIL
> response does not contain a domain name that could trigger rewriting.
>
> Rewriting queries instead of responses would fail to rewrite CNAME
> chains.
Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- the algorithm should be updated, in my opinion, to cover the case of a negative answer.

Chris Buxton
BlueCat Networks
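To make the two points in this exchange concrete, here is an added toy model (not BIND's code, not from either poster) of three rewriting strategies over a constructed upstream namespace and a constructed policy zone: query-side rewriting misses the CNAME chain, response-side rewriting misses the negative answer, and a QNAME fallback on negative answers closes the gap Chris describes. All names and addresses are invented for the example.

```python
"""Toy model of RPZ-style rewriting (constructed example, not BIND's implementation)."""

# Constructed upstream data: owner name -> list of (rtype, rdata), one RRset per name
UPSTREAM = {
    "www.example.test.": [("CNAME", "cdn.example.test.")],
    "cdn.example.test.": [("A", "192.0.2.10")],
    "bad.example.test.": [("A", "192.0.2.66")],
}

# Constructed policy zone: trigger name -> replacement record (a walled-garden address)
POLICY = {
    "bad.example.test.": ("A", "192.0.2.1"),
    "cdn.example.test.": ("A", "192.0.2.1"),
    "missing.example.test.": ("A", "192.0.2.1"),  # does not exist upstream
}

def resolve(qname):
    """Follow the CNAME chain upstream; return (rcode, answer section as (owner, type, data))."""
    answer, name = [], qname
    for _ in range(8):  # loop guard against CNAME cycles
        rrset = UPSTREAM.get(name)
        if rrset is None:
            return "NXDOMAIN", answer  # negative answer: no records for this name
        answer.extend((name, rtype, rdata) for rtype, rdata in rrset)
        if rrset[0][0] != "CNAME":
            return "NOERROR", answer
        name = rrset[0][1]
    return "SERVFAIL", answer

def rewrite_query(qname):
    """Query-side rewriting: only the QNAME is checked, so CNAME targets are never seen."""
    if qname in POLICY:
        return "NOERROR", [(qname,) + POLICY[qname]]
    return resolve(qname)

def rewrite_response(qname):
    """Response-side rewriting as Vernon describes: trigger on owner names in the answer."""
    rcode, answer = resolve(qname)
    for owner, _, _ in answer:
        if owner in POLICY:
            return "NOERROR", [(qname,) + POLICY[owner]]
    return rcode, answer  # a negative answer carries no names, so nothing triggers

def rewrite_response_with_negative_qname(qname):
    """Chris's suggested extension: on a negative answer, fall back to the QNAME trigger."""
    rcode, answer = rewrite_response(qname)
    if rcode != "NOERROR" and qname in POLICY:
        return "NOERROR", [(qname,) + POLICY[qname]]
    return rcode, answer
```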